Threat Actors Leverage Rogue RMM Tools to Silently Infiltrate Organizations

Cybersecurity analysts at WithSecure report a steady uptick in highly targeted activity that abuses Remote Monitoring and Management (RMM) tools, delivered through links embedded in PDF documents.

This ongoing campaign primarily targets organizations in France and Luxembourg, favoring a low-volume but high-value approach.

Attackers deliver socially engineered emails carrying ostensibly legitimate PDFs, such as invoices, contracts, or real estate listings, with embedded links that download RMM installers.

Social engineering email used to distribute malicious PDF

These PDFs, often carefully localized to the victim’s language and sector, aim to entice recipients into executing the installer, thereby granting adversaries a stealthy foothold in enterprise environments.

Legitimate Tools Turned Attack Vectors

RMM solutions, while fundamental to legitimate IT administration, have gained notoriety among threat actors for both initial access and persistent presence on networks.

By leveraging these “clean” and widely trusted tools, attackers can easily bypass most email and malware defenses.

Once installed, RMM agents provide remote access, facilitate privilege escalation, disable endpoint protections, and pave the way for further malicious payloads, including ransomware.

This tactic, not new in itself, echoes activity seen among ransomware syndicates such as Black Basta, Royal, and BlackCat, who have impersonated IT support to coax users into self-compromise with seemingly innocuous software.

The campaign tracked by WithSecure appears spearheaded by actors with deep familiarity with European languages and industries, particularly targeting sectors like banking, energy, government, and construction, fields where breaches can yield substantial financial returns.

Luxembourg, despite its small population, is disproportionately targeted, likely due to its high GDP per capita and concentration of valuable organizations.

Notably, the campaign’s distribution remains heavily European, with only isolated instances reported elsewhere.

Evasion Techniques

Initially, the attackers distributed their trojanized PDFs through spoofed or lookalike business email domains, often posing as real internal employees.

Recent innovations include using Zendesk, a legitimate customer support platform, as a secondary vector, embedding malicious download links within support tickets and replies.

According to the report, these links, hidden inside PDFs hosted on trusted Zendesk infrastructure, evade traditional email security filters due to their reputable, non-malicious appearance. Multiple off-the-shelf RMM solutions have been abused in this campaign.

WithSecure identified usage of platforms such as FleetDeck, Atera, Bluetrait, OptiTune, Syncro, Action1, SuperOps, and ScreenConnect.

The attackers select these tools not for their advanced features, but primarily for their immediacy: installers that require no further configuration and which grant attackers remote access upon execution.

Some cases involved obfuscation tactics such as embedding redirect URLs to hinder threat tracking and attribution by defenders.

PDF metadata reveals inconsistent author names and varying creation tools, including Microsoft Word, Canva, and ILovePDF.

This variety suggests either the use of automation or deliberate efforts to evade detection through metadata randomization.

Mitigation against such attacks requires a layered approach: organizations should block RMM installer downloads if such tools are not sanctioned, implement application allowlisting, and enforce strict controls over remote access software installations.

Security teams must alert on unusual process chains, such as browsers launched from PDFs to download executables. Regular employee training on the risks of socially engineered remote access requests remains equally critical.
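The process-chain alert described above, written out as a small detector over constructed process-creation events. This is an added example, not WithSecure's or Cyber Press's code: the event layout (pid, ppid, image, cmdline) mimics a Sysmon Event ID 1 record, the sample events are made up, and the sanctioned-RMM set is an assumption standing in for local policy. It flags an installer whose ancestors include a browser started by a PDF reader, and any RMM agent install for a product the organisation has not sanctioned.

```python
"""Flag the process chain the report calls out (PDF reader -> browser -> installer)
and RMM agent installs that are not sanctioned. Added example, not WithSecure's or
Cyber Press's code. The event layout (pid, ppid, image, cmdline) mimics a Sysmon
Event ID 1 record and the sample events below are constructed."""
import ntpath

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\")
# Product tokens taken from the RMM tools named in the report.
RMM_TOKENS = {
    "fleetdeck": "FleetDeck", "action1": "Action1", "bluetrait": "Bluetrait",
    "opti-tune": "OptiTune", "optitune": "OptiTune", "atera": "Atera",
    "syncro": "Syncro", "superops": "SuperOps", "screenconnect": "ScreenConnect",
}
# Assumption: the one RMM product this organisation actually uses.
SANCTIONED_RMM = {"Atera"}


def _basename(image):
    return ntpath.basename(image).lower()


def _rmm_product(text):
    """Return the RMM product named anywhere in an image path or command line."""
    low = text.lower()
    for token, product in RMM_TOKENS.items():
        if token in low:
            return product
    return None


def ancestry(by_pid, pid):
    """Image basenames from pid up to the root, nearest first; loop-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        image = ev["image"].lower()
        name = _basename(image)
        chain = ancestry(by_pid, ev["pid"])
        parents = chain[1:]
        # Rule 1: an installer (msiexec, or an .exe run from a user-writable path)
        # whose ancestors contain a browser that was itself started by a PDF reader.
        is_installer = name == "msiexec.exe" or (
            name.endswith(".exe") and any(p in image for p in USER_WRITABLE))
        browser_at = next((i for i, p in enumerate(parents) if p in BROWSERS), None)
        if is_installer and browser_at is not None and any(
                p in PDF_READERS for p in parents[browser_at + 1:]):
            findings.append({"rule": "pdf_reader_to_browser_to_installer",
                             "pid": ev["pid"], "chain": chain})
        # Rule 2: any RMM agent install that is not the sanctioned product.
        product = _rmm_product(ev["image"] + " " + ev.get("cmdline", ""))
        if product and product not in SANCTIONED_RMM:
            findings.append({"rule": "unsanctioned_rmm_install", "pid": ev["pid"],
                             "product": product, "chain": chain})
    return findings


# Constructed sample: a user opens a PDF, follows its link and runs the downloaded
# agent; separately, IT pushes the sanctioned agent from explorer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "cmdline": r'AcroRd32.exe "C:\Users\alice\Downloads\invoice.pdf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://download.invalid/agent"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\Downloads\FleetDeck_Agent.exe",
     "cmdline": "FleetDeck_Agent.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\ProgramData\IT\AteraAgent.msi" /qn'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]))
```

Only the agent run from the Downloads folder (pid 400) fires, on both rules; the sanctioned Atera push from explorer (pid 500) is silent because it has no browser or PDF reader in its ancestry and the product is on the sanctioned list. In production the token list should be widened to the agents your EDR actually sees, and the parent chain taken from the telemetry's own parent-process field rather than rebuilt from pids.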

As attackers refine their delivery vectors and exploit the trust placed in legitimate applications, organizations must stay vigilant to the abuse of ordinary IT tools for malicious ends.

Continuous monitoring, rapid detection of unauthorized remote access, and strict policy enforcement are essential to disrupt initial access attempts, particularly as threat actors increasingly leverage RMM utilities to silently bridge the gap between benign administration and full-blown compromise.

Key Indicators of Compromise (IOCs)

RMM Tool             Example Download URL
FleetDeck            hxxps://agent[.]fleetdeck[.]io/QsoxdPZw4B9TXSgRtqBnNM?win
Action1              hxxps://app[.]eu[.]action1[.]com/agent/7409f2b3-8fe0-11ef-8ef6-9f7ccf3fde70/Windows/agent(My_Organization)[.]msi
Bluetrait            hxxps://moduleadobeu[.]bluetrait[.]io/simple/msp_download_agent?os=windows&access_key=8f92d3…
OptiTune             hxxps://manage[.]opti-tune[.]com/agent/download[.]ashx?id=c6292c97-823b-4075-be7f-c703d7…
Atera                hxxps://helpdesksupport1747151491046[.]servicedesk[.]atera[.]com/GetAgent/Msi/?customerId=1…
Syncro               hxxps://rmm[.]syncromsp[.]com/dl/msi/djEtMzMyOTI3NTMtMTc3MjU3OTUxMi03MjgxNC00Mjc0NTk1
SuperOps             Action 1
ScreenConnect        hxxps://www[.]hpgas8[.]top/Bin/secure[.]ClientSetup[.]msi?e=Access&y=Guest
Example Zendesk PDF  hxxps://ttsonline[.]zendesk[.]com/attachments/token/LkWkQiX9tZyPCn51DKqQv2gn6/?name=RECORDATORIO+IMPORTANTE[.]pdf
Sample PDF SHA256    a8dc8dd2f71366010a74a0e31e21d86a29a418cfc8f7574ce290bb4009417da0
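One way to turn the defanged IOC URLs above into proxy and firewall decisions, as an added example that is not WithSecure's or Cyber Press's code. The vendor-domain map and the ScreenConnect installer-name hint are read off the table; the sanctioned-vendor set and the trusted-SaaS set are assumptions standing in for local policy. Two edge cases from the table are handled: the ScreenConnect sample sits on an unrelated domain, so a vendor-domain list alone would miss it, and the Zendesk attachment lives on a platform the business legitimately uses, so only the URL, not the host, should be blocked.

```python
"""Turn the defanged IOC URLs from the table into proxy/firewall decisions.
Added example, not WithSecure's or Cyber Press's code. VENDOR_DOMAINS and
INSTALLER_HINTS come from the table; TRUSTED_SAAS and SANCTIONED_VENDORS
are assumptions to be replaced with local policy."""
import posixpath
from urllib.parse import urlparse

VENDOR_DOMAINS = {
    "fleetdeck.io": "FleetDeck", "action1.com": "Action1", "bluetrait.io": "Bluetrait",
    "opti-tune.com": "OptiTune", "atera.com": "Atera", "syncromsp.com": "Syncro",
}
# The ScreenConnect sample is self-hosted on an unrelated domain, so the installer
# filename, not the host, is what identifies it.
INSTALLER_HINTS = {"clientsetup.msi": "ScreenConnect"}
TRUSTED_SAAS = {"zendesk.com"}     # assumption: block the URL, never the platform
SANCTIONED_VENDORS = {"Atera"}     # assumption: the product this organisation uses

# Defanged URLs copied from the table; truncated entries are kept as given.
DEFANGED_IOCS = [
    "hxxps://agent[.]fleetdeck[.]io/QsoxdPZw4B9TXSgRtqBnNM?win",
    "hxxps://app[.]eu[.]action1[.]com/agent/7409f2b3-8fe0-11ef-8ef6-9f7ccf3fde70/Windows/agent(My_Organization)[.]msi",
    "hxxps://moduleadobeu[.]bluetrait[.]io/simple/msp_download_agent?os=windows&access_key=8f92d3…",
    "hxxps://manage[.]opti-tune[.]com/agent/download[.]ashx?id=c6292c97-823b-4075-be7f-c703d7…",
    "hxxps://helpdesksupport1747151491046[.]servicedesk[.]atera[.]com/GetAgent/Msi/?customerId=1…",
    "hxxps://rmm[.]syncromsp[.]com/dl/msi/djEtMzMyOTI3NTMtMTc3MjU3OTUxMi03MjgxNC00Mjc0NTk1",
    "hxxps://www[.]hpgas8[.]top/Bin/secure[.]ClientSetup[.]msi?e=Access&y=Guest",
    "hxxps://ttsonline[.]zendesk[.]com/attachments/token/LkWkQiX9tZyPCn51DKqQv2gn6/?name=RECORDATORIO+IMPORTANTE[.]pdf",
]


def refang(ioc):
    """Undo the hxxp / [.] defanging so the URL can be parsed (never fetched)."""
    s = ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return s.replace("[.]", ".").replace("[:]", ":")


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def identify_vendor(host, path):
    """Name the RMM product from the vendor domain, else from the installer filename."""
    for domain, vendor in VENDOR_DOMAINS.items():
        if _under(host, domain):
            return vendor
    name = posixpath.basename(path).lower()
    for hint, vendor in INSTALLER_HINTS.items():
        if name.endswith(hint):
            return vendor
    return None


def classify(ioc):
    url = urlparse(refang(ioc))
    host = (url.hostname or "").lower()
    vendor = identify_vendor(host, url.path)
    if vendor in SANCTIONED_VENDORS:
        action = "allow"          # leave the approved product reachable
    elif any(_under(host, d) for d in TRUSTED_SAAS):
        action = "block-url"      # exact-URL block on a platform the business uses
    else:
        action = "block-host"
    return {"host": host, "vendor": vendor, "action": action}


def blocklist(iocs):
    """Hosts safe to add to a proxy or DNS blocklist wholesale."""
    return sorted({c["host"] for c in map(classify, iocs) if c["action"] == "block-host"})


if __name__ == "__main__":
    for c in map(classify, DEFANGED_IOCS):
        print(f'{c["action"]:10} {c["vendor"] or "-":14} {c["host"]}')
```

The Atera host is left reachable only because Atera is the assumed sanctioned product; if your organisation uses none of these tools, empty SANCTIONED_VENDORS and every host in the table becomes a block candidate. Note that the allow decision here is per vendor, not per tenant: the Atera URL carries a specific customerId, and a tighter policy would permit only your own tenant's download path.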

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
